How LexisNexis and others may have unwittingly aided identity thieves

I am the last person to call for a worthless class action suit but I think something needs to be done to seriously punish these companies for allowing our data to be compromised.

Beyond that our entire identification program in the US is broken and needs to be rebuilt from the ground up. Social Security numbers were NEVER intended to be used the way they are now and the reality is it is extremely difficult to impossible for a person to reclaim their privacy when their information is compromised.

The system needs to be designed to err towards protecting and allowing people to reestablish their privacy over banks being able to track credit scores. That we have a system in place where people can have their paper lives stolen or ruined just so banks have an easier time making loans is beyond crazy.

The fact that most all of the companies managing this data are wholly incompetent when it comes to protecting it should be enough to require massive changes.

Never tell anyone your SSN. Unless you want to see a doctor, open a bank account, get internet into your house..

That's the thing... out of those three items you referenced, only ONE should ever even require the need for your SSN (hint: for tax reporting purposes).

Yeah the reality is we should collectively REFUSE to give our social security number to a company just because they want to let us PAY them money for cable tv. But we won't do it. I don't know if we will ever collectively take a stand and say "No. You do not need my social security number for me to buy something from you."

ID theft will continue to be a big problem until we hold the banks accountable for it. Like credit card fraud, the onus should NOT be on the person whose identity was used to request credit, but instead upon the company that GAVE the fraudulent person credit. How this remains backwards in this country is completely beyond me. I guess our politicians are happy to keep letting people's lives be destroyed as long as their corporate masters don't have to actually spend any money to stop it.

Actually would be interesting if it became a crime to grant credit to a person who had stolen someone else's id.

Never tell anyone your SSN. Unless you want to see a doctor, open a bank account, get internet into your house..

That's the thing... out of those three items you referenced, only ONE should ever even require the need for your SSN (hint: for tax reporting purposes).

Wait, you mean it's not an appropriate student id number that will be plastered on every class list?

Funny thing. I went to school at RIT and they, for a while, used your SSN as your student ID. Suddenly someone realized that the student ID cards stored this number magnetically without hashing or encryption, and anyone could read it with a reader. Then, it came to light that apparently there's a Federal (or NY State?) law that prohibits them from using the SSN for an ID number. Once they figured this out, they immediately transitioned the entire student body (about 15k people) + the faculty and staff to a separate, unique ID number and purged the SSNs from their database. The whole process took place over summer quarter.

If such a law exists for education institutions, why not for financial, infrastructure, or any other company?

At least they needed a reader to get the number. While in grad school in the 80s, we'd write our SSN on our outgoing mail as billing code for the school post office. So much easier than having to buy stamps.

Just another reminder that it's insane that we continue to use SSNs the way we do. Never tell anyone your SSN. Unless you want to see a doctor, open a bank account, get internet into your house...all the while telling your SSN to people who don't necessarily have any training about how to handle this kind of information and who may or may not have been background checked to see if they're riskier than average people to let handle this information.

Plus, never mind that this kind of identity theft seems to be a pretty uniquely American phenomenon since in other countries the number you use to open, say, a bank account, is not the same number for your entire existence.

[edit] What's even better about it is that in order to get Social Security passed, FDR and crew had to swear up down left and right that your SSN would not be used as a government ID number.

How are we supposed to protect our identity when everyone under the sun claims to need (read: wants) our data for everything?

I feel this is probably the question of the 21st century.

We know SSN - a publicly-visible unique identifier - is only secure until the adversary figures it out.

Adding the 'know' factor to that check (those 'secret questions') slows down the attacker as long as they don't know the answers; with so much info on ourselves in the wild, it seems a tad unrealistic to expect that this second factor of security will suffice for any longer, and this article shows how it is able to be defeated - compromise the security of the authority that holds that information.

We can continue adding factors ad nauseam, which only buys small amounts of time until the adversary is able to defeat this new measure, again bringing us back to the same situation.

On the other hand, if we perform a full-on paradigm shift in personal identification - assuming a way exists that is cost effective for the entire United States to undergo, another problem altogether - that buys us a longer period of time for the adversary to erode the security of that new paradigm, dependent A) on the immediate hackability of the solution, and B) the security under which those secrets are maintained by the Authority that holds them.

I have no answers on this one - this is a problem statement. It will take A) people far smarter than I to figure it out, and B) numbers of said people to make it happen. Also, C) common sense for the Authority that must ultimately implement it.

The research on this is quite old now. There is no way to use public information for two parties to securely mutually authenticate. You can do it with a shared secret. But we know that having passwords for each individual organisation doesn't work. You can do it with a trusted third party. Unfortunately, in the USA no one can agree on who that third party should be.

I find it interesting that the USA exists as a society given the lack of mutual trust. (see 'Liars and Outliers' for more on this theme.)

There are two problems here: 1) Companies that collect but don't protect vital information (such as Lexis/Nexis), 2) Companies that use vital information to validate ID (such as a mortgage company). Fine them if they release the information, or if they accept information from an identity thief. A fine of $5,000/company/incident, paid to each harmed individual (not the government), would help those harmed individuals get their lives back together. It would give the companies who collect and use this information a financial interest in protecting and validating it. This "the market will take care of things" approach is nonsense until the market actually pays for the damage it causes.

The "previous address" question raises another issue that you rarely hear discussed, but worries me a lot: There is far too much "publicly available" information that is easily available online. I understand the need for public records to be accessible, but they are just plain too accessible.

Two personal examples:

1. One day I needed my parents' address for something and I didn't remember their exact address. So I tried to look them up online. Since they don't have a landline, I could not find their address on whitepages dot com. But starting from a link in an advertisement on the whitepages website, within just a few mouse clicks I had found a service that identified my mother, complete with maiden name, and a history of town names where she had lived. (I would have had to pay to get her precise address.) In addition, there was a list of people there "likely related to", which included myself, my father and my siblings. Clicking on my own name, I was presented with a list of most of the towns I had lived in. I did not pay to find out how much more information the website was selling about me. I did take the time to fill out the opt-out form on their website, requesting that they not make my personal profile publicly available. I do not know whether they honored the opt-out, or how many other websites there are out there selling the same information.

2. When I was home shopping a few years ago, I was surprised at how much information the county I currently live in made available about each property online. As a potential home buyer it was interesting information, but far more than I needed. After I had purchased a home, I received a flood of mail from various companies trying to sell all sorts of insurance. (Uh, don't you guys know that I had to get home insurance before I could get a loan?) Based on what I had seen previously on the county website, I know that with an address in hand, and my name attached to it, there was a lot of information out there that I would not want others to easily be able to access.

So, in my opinion: If someone needs the information, make them go to the courthouse to get it.


And if you are giving out your SSN number when you visit a doctor, get internet or other utility to your home, open a bank account then you are asking to be hacked. A SSN is not needed, and in fact illegal as a requirement for any of those. It is even illegal to be asked on a job application, and can only be asked for by a prospective employer if they tender you the job. I have never given out my SSN for any of the above, and have accounts at 3 different banks and none have my SSN. The following all cover bank accounts, and in fact you can sue a bank for denying you

31 CFR 103.28: Before concluding any transaction with respect to which a report is required under Sec. 103.22, a financial institution shall verify and record the name and address of the individual presenting a transaction, as well as record the identity, account number, and the social security or taxpayer identification number, if any, of any person or entity on whose behalf such transaction is to be effected. Key word if ANY. So they are required to ask for a SSN but notice the words "if any". Clearly it is not a requirement.

31 CFR 103.34: In the event that a bank has been unable to secure . . . the required identification, it shall nevertheless not be deemed to be in violation of this section if (i) it has made a reasonable effort to secure such identification, and (ii) it maintains a list containing the names, addresses, and account numbers of those persons from whom it has been unable to secure such identification, and makes the names, addresses, and account numbers of those persons available to the Secretary as directed by him.

So, there is even a provision in the law in case the bank can't get a SSN from a customer. They merely have to make a notation in record of those it hasn't been able to secure a number. As a matter of fact, if the bank tells you that it is required by law when it actually isn't they are in violation of the law.

18 U.S.C. Sec. 242 and 42 U.S.C. Sec. 1983: Whoever, under color of any law, statute, ordinance, regulation, or custom, willfully subjects any person in any State, Territory, or District to the deprivation of any rights, privileges, or immunities secured or protected by the Constitution or laws of the United States, ... shall be fined under this title or imprisoned not more than one year, or both; 42 U.S.C. Sec. 1983 further provides that a violator shall be liable to the party injured in an action at law, suit in equity, or other proper proceeding for redress.

Now, that is pretty straightforward and easy to understand. The violator is even liable for damages!

42 U.S.C. Sec. 408 states: Whoever ... (8) discloses, uses, or compels the disclosure of the social security number of any person in violation of the laws of the United States; shall be guilty of a felony and upon conviction thereof shall be fined under title 18 or imprisoned for not more than five years, or both.


Actually would be interesting if it became a crime to grant credit to a person who had stolen someone else's id.

No it wouldn't. Banks would let their grunts get arrested while still forcing the requirement down customers' throats.

There are protections, I have an account with Credit Karma (free, but you have to provide SSN) to check out my credit record any time I want, and I do that monthly. You unfortunately have to be proactive, or pay for LifeLock or something like that.

Funny thing. I went to school at RIT and they, for a while, used your SSN as your student ID.

I think it was a fairly recent federal law that changed it. It was absolutely atrocious when I went to school. Every teaching assistant had a list of student names and SSNs. Anyone seeing a pile of handed in test or term papers would also see a pile of names and SSNs. Totally asinine.


Let me pose you this question: Where/when did you learn to not give it out? From the very first time I started thinking about college, everyone and their brother was asking me for an SSN. Any employer wants it, any bank wants it, etc. If you're one of those working for the cable company, or whatever, you also get it beat into your skull, so you're less resistant to people asking for it.